@stackwright-pro/auth-nextjs 0.2.0-alpha.7 → 0.3.0-alpha.0

package/README.md

@@ -10,10 +10,35 @@ pnpm add @stackwright-pro/auth-nextjs
 
 ## Usage
 
-### Middleware (Route Protection)
+### Proxy (Next.js >=16 — Recommended)
+
+Next.js 16 deprecated the `middleware.ts` convention in favor of `proxy.ts`. Use `createAuthProxy` for new projects:
 
 ```typescript
-// middleware.ts
+// proxy.ts (project root)
+import { createAuthProxy } from '@stackwright-pro/auth-nextjs';
+import { sessionManager, rbacEngine, authConfig } from './lib/auth';
+
+export default createAuthProxy({
+  authConfig,
+  sessionManager,
+  rbacEngine,
+  cookieName: 'my_session',
+  loginUrl: '/login',
+  unauthorizedUrl: '/403',
+});
+
+export const config = {
+  matcher: ['/((?!_next|api/auth|login).*)'],
+};
+```
+
+### Middleware (Next.js 14–15 — Legacy)
+
+> **Deprecated**: For Next.js >=16, use `createAuthProxy` above instead.
+
+```typescript
+// middleware.ts (project root)
 import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';
 import { sessionManager, rbacEngine, authConfig } from './lib/auth';
 
@@ -59,11 +84,18 @@ import { setSessionCookie } from '@stackwright-pro/auth-nextjs';
 export default async function handler(req, res) {
   const session = await authenticateUser(req.body);
   const jwt = await sessionManager.serialize(session);
-  
+
   setSessionCookie(res, jwt, {
     maxAge: 900, // 15 minutes
   });
-  
+
   res.json({ success: true });
 }
 ```
+
+## Subpath Exports
+
+| Import path                          | Convention                  | Next.js version |
+| ------------------------------------ | --------------------------- | --------------- |
+| `@stackwright-pro/auth-nextjs`       | Both exports available      | All             |
+| `@stackwright-pro/auth-nextjs/proxy` | Proxy only (tree-shakeable) | >=16            |

package/dist/chunk-MFZSH4YL.mjs

@@ -0,0 +1,58 @@
+// src/auth-handler.ts
+import { NextResponse } from "next/server";
+function createAuthHandler(config) {
+  const {
+    sessionManager,
+    rbacEngine,
+    cookieName = "stackwright_session",
+    loginUrl = "/login",
+    unauthorizedUrl = "/unauthorized"
+  } = config;
+  return async function authHandler(request) {
+    const { pathname } = request.nextUrl;
+    if (rbacEngine.isPublicRoute(pathname)) {
+      return void 0;
+    }
+    const sessionCookie = request.cookies.get(cookieName);
+    let session = null;
+    if (sessionCookie) {
+      session = await sessionManager.deserialize(sessionCookie.value);
+    }
+    if (!session || sessionManager.isExpired(session)) {
+      const url = request.nextUrl.clone();
+      url.pathname = loginUrl;
+      url.searchParams.set("redirect", pathname);
+      return NextResponse.redirect(url);
+    }
+    if (!rbacEngine.canAccessRoute(session.user, pathname)) {
+      const url = request.nextUrl.clone();
+      url.pathname = unauthorizedUrl;
+      return NextResponse.redirect(url);
+    }
+    if (sessionManager.shouldRefresh(session)) {
+      const refreshed = await sessionManager.refreshSession(session);
+      const newJwt = await sessionManager.serialize(refreshed);
+      const response = NextResponse.next();
+      response.cookies.set(cookieName, newJwt, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax",
+        maxAge: 900
+        // 15 minutes
+      });
+      return response;
+    }
+    return void 0;
+  };
+}
+
+// src/proxy.ts
+function createAuthProxy(config) {
+  return createAuthHandler(config);
+}
+
+export {
+  createAuthHandler,
+  createAuthProxy
+};
+//# sourceMappingURL=chunk-MFZSH4YL.mjs.map

package/dist/chunk-MFZSH4YL.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth-handler.ts","../src/proxy.ts"],"sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  SessionManager,\n  RBACEngine,\n  type AuthConfig,\n  type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface AuthHandlerConfig {\n  /**\n   * Auth configuration\n   */\n  authConfig: AuthConfig;\n\n  /**\n   * Session manager instance\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * RBAC engine instance\n   */\n  rbacEngine: RBACEngine;\n\n  /**\n   * Cookie name for session (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * URL to redirect to when authentication fails (default: '/login')\n   */\n  loginUrl?: string;\n\n  /**\n   * URL to redirect to when authorization fails (default: '/unauthorized')\n   */\n  unauthorizedUrl?: string;\n}\n\n/**\n * Core auth handler shared by both the middleware (Next.js <16) and\n * proxy (Next.js >=16) conventions.\n *\n * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.\n */\nexport function createAuthHandler(config: AuthHandlerConfig) {\n  const {\n    sessionManager,\n    rbacEngine,\n    cookieName = 'stackwright_session',\n    loginUrl = '/login',\n    unauthorizedUrl = '/unauthorized',\n  } = config;\n\n  return async function authHandler(request: NextRequest): Promise<NextResponse | undefined> {\n    const { pathname } = request.nextUrl;\n\n    // Check if route is public\n    if (rbacEngine.isPublicRoute(pathname)) {\n      return undefined; // Continue to next handler\n    }\n\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n    let session: AuthSession | null = null;\n\n    if (sessionCookie) {\n      session = await sessionManager.deserialize(sessionCookie.value);\n    }\n\n    // Check if session is valid\n    if (!session || sessionManager.isExpired(session)) {\n      // Redirect to login\n      const url = request.nextUrl.clone();\n      url.pathname = loginUrl;\n      url.searchParams.set('redirect', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    // Check if user can access route\n    if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n      // Redirect to unauthorized\n      const url = request.nextUrl.clone();\n      url.pathname = unauthorizedUrl;\n      return NextResponse.redirect(url);\n    }\n\n    // Refresh session if needed\n    if (sessionManager.shouldRefresh(session)) {\n      const refreshed = await sessionManager.refreshSession(session);\n      const newJwt = await sessionManager.serialize(refreshed);\n\n      const response = NextResponse.next();\n      response.cookies.set(cookieName, newJwt, {\n        httpOnly: true,\n        secure: true,\n        sameSite: 'lax',\n        maxAge: 900, // 15 minutes\n      });\n\n      return response;\n    }\n\n    // Allow request to continue\n    return undefined;\n  };\n}\n","import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/**\n * Configuration for Next.js proxy-based auth (Next.js >=16).\n */\nexport type ProxyConfig = AuthHandlerConfig;\n\n/**\n * Create a Next.js proxy handler for authentication and authorization.\n *\n * For Next.js >=16 projects that use the `proxy.ts` file convention,\n * replacing the deprecated `middleware.ts` convention.\n *\n * @example\n * ```typescript\n * // proxy.ts (Next.js >=16)\n * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthProxy({\n *   authConfig,\n *   sessionManager,\n *   rbacEngine,\n * });\n *\n * export const config = {\n *   matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthProxy(config: ProxyConfig) {\n  return createAuthHandler(config);\n}\n"],"mappings":";AAAA,SAA2B,oBAAoB;AA8CxC,SAAS,kBAAkB,QAA2B;AAC3D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,YAAY,SAAyD;AACzF,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,aAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;AC9EO,SAAS,gBAAgB,QAAqB;AACnD,SAAO,kBAAkB,MAAM;AACjC;","names":[]}

package/dist/index.d.mts

@@ -1,40 +1,29 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { AuthConfig, SessionManager, RBACEngine, AuthSession, CookieOptions } from '@stackwright-pro/auth';
-export { AuthConfig, AuthContext, AuthContextValue, AuthProvider, AuthProviderProps, AuthSession, AuthUser, RBACEngine, useAuth, useRequireAuth } from '@stackwright-pro/auth';
+import * as next_server_js from 'next/server.js';
+import { A as AuthHandlerConfig } from './proxy-Blj2kIJp.mjs';
+export { P as ProxyConfig, c as createAuthHandler, a as createAuthProxy } from './proxy-Blj2kIJp.mjs';
 import { NextApiRequest, NextApiResponse } from 'next';
+import { AuthSession, SessionManager, RBACEngine, CookieOptions } from '@stackwright-pro/auth';
+export { AuthConfig, AuthContext, AuthContextValue, AuthProvider, AuthProviderProps, AuthSession, AuthUser, RBACEngine, useAuth, useRequireAuth } from '@stackwright-pro/auth';
+import { NextRequest, NextResponse } from 'next/server';
 
-interface MiddlewareConfig {
-    /**
-     * Auth configuration
-     */
-    authConfig: AuthConfig;
-    /**
-     * Session manager instance
-     */
-    sessionManager: SessionManager;
-    /**
-     * RBAC engine instance
-     */
-    rbacEngine: RBACEngine;
-    /**
-     * Cookie name for session (default: 'stackwright_session')
-     */
-    cookieName?: string;
-    /**
-     * URL to redirect to when authentication fails (default: '/login')
-     */
-    loginUrl?: string;
-    /**
-     * URL to redirect to when authorization fails (default: '/unauthorized')
-     */
-    unauthorizedUrl?: string;
-}
 /**
- * Create Next.js middleware for authentication and authorization
+ * Configuration for Next.js middleware-based auth (Next.js <16).
+ *
+ * @deprecated For Next.js >=16, use {@link ProxyConfig} with {@link createAuthProxy} instead.
+ * The `middleware.ts` file convention is deprecated in Next.js 16.
+ */
+type MiddlewareConfig = AuthHandlerConfig;
+/**
+ * Create Next.js middleware for authentication and authorization.
+ *
+ * For Next.js 14–15 projects that use the `middleware.ts` file convention.
+ *
+ * @deprecated For Next.js >=16, use {@link createAuthProxy} instead.
+ * The `middleware.ts` file convention is deprecated in Next.js 16 in favor of `proxy.ts`.
  *
  * @example
  * ```typescript
- * // middleware.ts
+ * // middleware.ts (Next.js 14–15)
  * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';
  *
  * export default createAuthMiddleware({
@@ -48,7 +37,7 @@ interface MiddlewareConfig {
  * };
  * ```
  */
-declare function createAuthMiddleware(config: MiddlewareConfig): (request: NextRequest) => Promise<NextResponse | undefined>;
+declare function createAuthMiddleware(config: MiddlewareConfig): (request: next_server_js.NextRequest) => Promise<next_server_js.NextResponse | undefined>;
 
 interface ProtectedRouteConfig {
     /**
@@ -204,4 +193,4 @@ declare function clearSessionCookieOnResponse(response: NextResponse, options?:
     cookieName?: string;
 }): NextResponse;
 
-export { type AuthenticatedHandler, type AuthenticatedRouteHandler, type MiddlewareConfig, type ProtectedRouteConfig, type RouteHandlerConfig, clearSessionCookie, clearSessionCookieOnResponse, createAuthMiddleware, protectedRoute, protectedRouteHandler, setSessionCookie, setSessionCookieOnResponse };
+export { AuthHandlerConfig, type AuthenticatedHandler, type AuthenticatedRouteHandler, type MiddlewareConfig, type ProtectedRouteConfig, type RouteHandlerConfig, clearSessionCookie, clearSessionCookieOnResponse, createAuthMiddleware, protectedRoute, protectedRouteHandler, setSessionCookie, setSessionCookieOnResponse };

package/dist/index.d.ts

@@ -1,40 +1,29 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { AuthConfig, SessionManager, RBACEngine, AuthSession, CookieOptions } from '@stackwright-pro/auth';
-export { AuthConfig, AuthContext, AuthContextValue, AuthProvider, AuthProviderProps, AuthSession, AuthUser, RBACEngine, useAuth, useRequireAuth } from '@stackwright-pro/auth';
+import * as next_server_js from 'next/server.js';
+import { A as AuthHandlerConfig } from './proxy-Blj2kIJp.js';
+export { P as ProxyConfig, c as createAuthHandler, a as createAuthProxy } from './proxy-Blj2kIJp.js';
 import { NextApiRequest, NextApiResponse } from 'next';
+import { AuthSession, SessionManager, RBACEngine, CookieOptions } from '@stackwright-pro/auth';
+export { AuthConfig, AuthContext, AuthContextValue, AuthProvider, AuthProviderProps, AuthSession, AuthUser, RBACEngine, useAuth, useRequireAuth } from '@stackwright-pro/auth';
+import { NextRequest, NextResponse } from 'next/server';
 
-interface MiddlewareConfig {
-    /**
-     * Auth configuration
-     */
-    authConfig: AuthConfig;
-    /**
-     * Session manager instance
-     */
-    sessionManager: SessionManager;
-    /**
-     * RBAC engine instance
-     */
-    rbacEngine: RBACEngine;
-    /**
-     * Cookie name for session (default: 'stackwright_session')
-     */
-    cookieName?: string;
-    /**
-     * URL to redirect to when authentication fails (default: '/login')
-     */
-    loginUrl?: string;
-    /**
-     * URL to redirect to when authorization fails (default: '/unauthorized')
-     */
-    unauthorizedUrl?: string;
-}
 /**
- * Create Next.js middleware for authentication and authorization
+ * Configuration for Next.js middleware-based auth (Next.js <16).
+ *
+ * @deprecated For Next.js >=16, use {@link ProxyConfig} with {@link createAuthProxy} instead.
+ * The `middleware.ts` file convention is deprecated in Next.js 16.
+ */
+type MiddlewareConfig = AuthHandlerConfig;
+/**
+ * Create Next.js middleware for authentication and authorization.
+ *
+ * For Next.js 14–15 projects that use the `middleware.ts` file convention.
+ *
+ * @deprecated For Next.js >=16, use {@link createAuthProxy} instead.
+ * The `middleware.ts` file convention is deprecated in Next.js 16 in favor of `proxy.ts`.
  *
  * @example
  * ```typescript
- * // middleware.ts
+ * // middleware.ts (Next.js 14–15)
  * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';
  *
  * export default createAuthMiddleware({
@@ -48,7 +37,7 @@ interface MiddlewareConfig {
  * };
  * ```
  */
-declare function createAuthMiddleware(config: MiddlewareConfig): (request: NextRequest) => Promise<NextResponse | undefined>;
+declare function createAuthMiddleware(config: MiddlewareConfig): (request: next_server_js.NextRequest) => Promise<next_server_js.NextResponse | undefined>;
 
 interface ProtectedRouteConfig {
     /**
@@ -204,4 +193,4 @@ declare function clearSessionCookieOnResponse(response: NextResponse, options?:
     cookieName?: string;
 }): NextResponse;
 
-export { type AuthenticatedHandler, type AuthenticatedRouteHandler, type MiddlewareConfig, type ProtectedRouteConfig, type RouteHandlerConfig, clearSessionCookie, clearSessionCookieOnResponse, createAuthMiddleware, protectedRoute, protectedRouteHandler, setSessionCookie, setSessionCookieOnResponse };
+export { AuthHandlerConfig, type AuthenticatedHandler, type AuthenticatedRouteHandler, type MiddlewareConfig, type ProtectedRouteConfig, type RouteHandlerConfig, clearSessionCookie, clearSessionCookieOnResponse, createAuthMiddleware, protectedRoute, protectedRouteHandler, setSessionCookie, setSessionCookieOnResponse };

package/dist/index.js

@@ -25,7 +25,9 @@ __export(index_exports, {
   RBACEngine: () => import_auth2.RBACEngine,
   clearSessionCookie: () => clearSessionCookie,
   clearSessionCookieOnResponse: () => clearSessionCookieOnResponse,
+  createAuthHandler: () => createAuthHandler,
   createAuthMiddleware: () => createAuthMiddleware,
+  createAuthProxy: () => createAuthProxy,
   protectedRoute: () => protectedRoute,
   protectedRouteHandler: () => protectedRouteHandler,
   setSessionCookie: () => setSessionCookie,
@@ -35,9 +37,9 @@ __export(index_exports, {
 });
 module.exports = __toCommonJS(index_exports);
 
-// src/middleware.ts
+// src/auth-handler.ts
 var import_server = require("next/server");
-function createAuthMiddleware(config) {
+function createAuthHandler(config) {
   const {
     sessionManager,
     rbacEngine,
@@ -45,7 +47,7 @@ function createAuthMiddleware(config) {
     loginUrl = "/login",
     unauthorizedUrl = "/unauthorized"
   } = config;
-  return async function authMiddleware(request) {
+  return async function authHandler(request) {
     const { pathname } = request.nextUrl;
     if (rbacEngine.isPublicRoute(pathname)) {
       return void 0;
@@ -83,6 +85,16 @@ function createAuthMiddleware(config) {
   };
 }
 
+// src/middleware.ts
+function createAuthMiddleware(config) {
+  return createAuthHandler(config);
+}
+
+// src/proxy.ts
+function createAuthProxy(config) {
+  return createAuthHandler(config);
+}
+
 // src/api-helpers.ts
 function protectedRoute(handler, config) {
   const { sessionManager, roles, permissions, cookieName = "stackwright_session" } = config;
@@ -224,7 +236,9 @@ function clearSessionCookieOnResponse(response, options = {}) {
   RBACEngine,
   clearSessionCookie,
   clearSessionCookieOnResponse,
+  createAuthHandler,
   createAuthMiddleware,
+  createAuthProxy,
   protectedRoute,
   protectedRouteHandler,
   setSessionCookie,

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts","../src/middleware.ts","../src/api-helpers.ts","../src/cookie-utils.ts","../src/route-handlers.ts"],"sourcesContent":["export { createAuthMiddleware, type MiddlewareConfig } from './middleware.js';\nexport {\n  protectedRoute,\n  type ProtectedRouteConfig,\n  type AuthenticatedHandler,\n} from './api-helpers.js';\nexport { setSessionCookie, clearSessionCookie } from './cookie-utils.js';\n\n// Re-export commonly used types/classes from core\nexport type { AuthUser, AuthSession, AuthConfig } from '@stackwright-pro/auth';\n\n// Re-export RBAC engine\nexport { RBACEngine } from '@stackwright-pro/auth';\n\n// Re-export React context components for Next.js apps\nexport { AuthProvider, AuthContext, useAuth, useRequireAuth } from '@stackwright-pro/auth';\nexport type { AuthProviderProps, AuthContextValue } from '@stackwright-pro/auth';\n\n// App Router Route Handler helpers (replaces api-helpers for App Router users)\nexport {\n  protectedRouteHandler,\n  setSessionCookieOnResponse,\n  clearSessionCookieOnResponse,\n  type RouteHandlerConfig,\n  type AuthenticatedRouteHandler,\n} from './route-handlers.js';\n","import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  SessionManager,\n  RBACEngine,\n  type AuthConfig,\n  type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface MiddlewareConfig {\n  /**\n   * Auth configuration\n   */\n  authConfig: AuthConfig;\n\n  /**\n   * Session manager instance\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * RBAC engine instance\n   */\n  rbacEngine: RBACEngine;\n\n  /**\n   * Cookie name for session (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * URL to redirect to when authentication fails (default: '/login')\n   */\n  loginUrl?: string;\n\n  /**\n   * URL to redirect to when authorization fails (default: '/unauthorized')\n   */\n  unauthorizedUrl?: string;\n}\n\n/**\n * Create Next.js middleware for authentication and authorization\n *\n * @example\n * ```typescript\n * // middleware.ts\n * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthMiddleware({\n *   authConfig,\n *   sessionManager,\n *   rbacEngine,\n * });\n *\n * export const config = {\n *   matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthMiddleware(config: MiddlewareConfig) {\n  const {\n    sessionManager,\n    rbacEngine,\n    cookieName = 'stackwright_session',\n    loginUrl = '/login',\n    unauthorizedUrl = '/unauthorized',\n  } = config;\n\n  return async function authMiddleware(request: NextRequest): Promise<NextResponse | undefined> {\n    const { pathname } = request.nextUrl;\n\n    // Check if route is public\n    if (rbacEngine.isPublicRoute(pathname)) {\n      return undefined; // Continue to next middleware\n    }\n\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n    let session: AuthSession | null = null;\n\n    if (sessionCookie) {\n      session = await sessionManager.deserialize(sessionCookie.value);\n    }\n\n    // Check if session is valid\n    if (!session || sessionManager.isExpired(session)) {\n      // Redirect to login\n      const url = request.nextUrl.clone();\n      url.pathname = loginUrl;\n      url.searchParams.set('redirect', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    // Check if user can access route\n    if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n      // Redirect to unauthorized\n      const url = request.nextUrl.clone();\n      url.pathname = unauthorizedUrl;\n      return NextResponse.redirect(url);\n    }\n\n    // Refresh session if needed\n    if (sessionManager.shouldRefresh(session)) {\n      const refreshed = await sessionManager.refreshSession(session);\n      const newJwt = await sessionManager.serialize(refreshed);\n\n      const response = NextResponse.next();\n      response.cookies.set(cookieName, newJwt, {\n        httpOnly: true,\n        secure: true,\n        sameSite: 'lax',\n        maxAge: 900, // 15 minutes\n      });\n\n      return response;\n    }\n\n    // Allow request to continue\n    return undefined;\n  };\n}\n","import type { NextApiRequest, NextApiResponse } from 'next';\nimport { SessionManager, RBACEngine, type AuthSession, type AuthUser } from '@stackwright-pro/auth';\n\nexport interface ProtectedRouteConfig {\n  /**\n   * Session manager for validating sessions\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * Required roles (user must have ANY of these)\n   */\n  roles?: string[];\n\n  /**\n   * Required permissions (user must have ALL of these)\n   */\n  permissions?: string[];\n\n  /**\n   * Cookie name (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * Optional RBAC engine for wildcard-aware role/permission checking.\n   * When provided, authorization decisions use RBACEngine (consistent\n   * with middleware). Without it, falls back to direct array checks.\n   */\n  rbacEngine?: RBACEngine;\n}\n\n/**\n * Handler function with authenticated session\n */\nexport type AuthenticatedHandler<T = any> = (\n  req: NextApiRequest,\n  res: NextApiResponse<T>,\n  session: AuthSession\n) => void | Promise<void>;\n\n/**\n * Wrap API route with authentication/authorization\n *\n * @example\n * ```typescript\n * // pages/api/equipment/[id].ts\n * export default protectedRoute(\n *   async (req, res, session) => {\n *     const equipment = await getEquipment(req.query.id);\n *     res.json(equipment);\n *   },\n *   {\n *     sessionManager,\n *     roles: ['ANALYST', 'ADMIN'],\n *   }\n * );\n * ```\n */\nexport function protectedRoute<T = any>(\n  handler: AuthenticatedHandler<T>,\n  config: ProtectedRouteConfig\n): (req: NextApiRequest, res: NextApiResponse) => Promise<void> {\n  const { sessionManager, roles, permissions, cookieName = 'stackwright_session' } = config;\n\n  return async (req: NextApiRequest, res: NextApiResponse) => {\n    // Extract session from cookie\n    const sessionCookie = req.cookies[cookieName];\n\n    if (!sessionCookie) {\n      res.status(401).json({ error: 'Not authenticated' } as any);\n      return;\n    }\n\n    // Verify session\n    const session = await sessionManager.deserialize(sessionCookie);\n\n    if (!session || sessionManager.isExpired(session)) {\n      res.status(401).json({ error: 'Session expired' } as any);\n      return;\n    }\n\n    // Check roles\n    if (roles && roles.length > 0) {\n      if (config.rbacEngine) {\n        // Use RBAC engine for consistent wildcard-aware checking\n        if (!config.rbacEngine.hasAnyRole(session.user, roles)) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      } else {\n        // Fallback: direct check (no wildcard support)\n        const hasRole = roles.some((role) => session.user.roles.includes(role));\n        if (!hasRole) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      }\n    }\n\n    // Check permissions\n    if (permissions && permissions.length > 0) {\n      if (config.rbacEngine) {\n        // Use RBAC engine for wildcard-aware permission checking\n        if (!config.rbacEngine.hasAllPermissions(session.user, permissions)) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      } else {\n        // Fallback: direct check (no wildcard support)\n        const hasAllPermissions = permissions.every((permission) =>\n          session.user.permissions?.includes(permission)\n        );\n        if (!hasAllPermissions) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      }\n    }\n\n    // Call handler with session\n    await handler(req, res, session);\n  };\n}\n","import type { NextApiResponse } from 'next';\nimport { serializeCookie, clearCookie, type CookieOptions } from '@stackwright-pro/auth';\n\n/**\n * Set session cookie in Next.js API response\n */\nexport function setSessionCookie(\n  res: NextApiResponse,\n  sessionJwt: string,\n  options: CookieOptions = {}\n): void {\n  const cookieName = options.name || 'stackwright_session';\n  const maxAge = options.maxAge || 900; // 15 minutes default\n\n  const cookie = serializeCookie(cookieName, sessionJwt, {\n    ...options,\n    maxAge,\n    httpOnly: true,\n    secure: true,\n    sameSite: 'lax',\n  });\n\n  res.setHeader('Set-Cookie', cookie);\n}\n\n/**\n * Clear session cookie in Next.js API response\n */\nexport function clearSessionCookie(\n  res: NextApiResponse,\n  options: Pick<CookieOptions, 'name' | 'domain' | 'path'> = {}\n): void {\n  const cookieName = options.name || 'stackwright_session';\n\n  const cookie = clearCookie(cookieName, options);\n\n  res.setHeader('Set-Cookie', cookie);\n}\n","import { type NextRequest, NextResponse } from 'next/server';\nimport { SessionManager, RBACEngine, type AuthSession } from '@stackwright-pro/auth';\n\nexport interface RouteHandlerConfig {\n  /**\n   * Session manager for validating sessions\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * Required roles (user must have ANY of these)\n   */\n  roles?: string[];\n\n  /**\n   * Required permissions (user must have ALL of these)\n   */\n  permissions?: string[];\n\n  /**\n   * Cookie name (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * Optional RBAC engine for wildcard-aware role/permission checking.\n   * When provided, authorization decisions use RBACEngine (consistent\n   * with middleware). Without it, falls back to direct array checks.\n   */\n  rbacEngine?: RBACEngine;\n}\n\n/**\n * Handler function with authenticated session — App Router Route Handler signature.\n */\nexport type AuthenticatedRouteHandler = (\n  request: NextRequest,\n  context: { params: Record<string, string> },\n  session: AuthSession\n) => Promise<Response> | Response;\n\n/**\n * Wrap an App Router Route Handler with authentication/authorization.\n *\n * This is the App Router equivalent of `protectedRoute()` from `api-helpers.ts`.\n *\n * @example\n * ```typescript\n * // app/api/equipment/[id]/route.ts\n * import { protectedRouteHandler } from '@stackwright-pro/auth-nextjs';\n *\n * export const GET = protectedRouteHandler(\n *   async (request, { params }, session) => {\n *     const equipment = await getEquipment(params.id);\n *     return NextResponse.json(equipment);\n *   },\n *   {\n *     sessionManager,\n *     roles: ['ANALYST', 'ADMIN'],\n *   }\n * );\n * ```\n */\nexport function protectedRouteHandler(\n  handler: AuthenticatedRouteHandler,\n  config: RouteHandlerConfig\n): (request: NextRequest, context: { params: Record<string, string> }) => Promise<Response> {\n  const {\n    sessionManager,\n    roles,\n    permissions,\n    cookieName = 'stackwright_session',\n    rbacEngine,\n  } = config;\n\n  return async (\n    request: NextRequest,\n    context: { params: Record<string, string> }\n  ): Promise<Response> => {\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n\n    if (!sessionCookie) {\n      return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });\n    }\n\n    // Verify session\n    const session = await sessionManager.deserialize(sessionCookie.value);\n\n    if (!session || sessionManager.isExpired(session)) {\n      return NextResponse.json({ error: 'Session expired' }, { status: 401 });\n    }\n\n    // Check roles\n    if (roles && roles.length > 0) {\n      if (rbacEngine) {\n        if (!rbacEngine.hasAnyRole(session.user, roles)) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      } else {\n        const hasRole = roles.some((role) => session.user.roles.includes(role));\n        if (!hasRole) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      }\n    }\n\n    // Check permissions\n    if (permissions && permissions.length > 0) {\n      if (rbacEngine) {\n        if (!rbacEngine.hasAllPermissions(session.user, permissions)) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      } else {\n        const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));\n        if (!hasAllPermissions) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      }\n    }\n\n    return handler(request, context, session);\n  };\n}\n\n/**\n * Set the session cookie on a `NextResponse` (App Router).\n *\n * This is the App Router equivalent of `setSessionCookie()` from `cookie-utils.ts`.\n *\n * @example\n * ```typescript\n * // app/api/auth/login/route.ts\n * import { setSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n *\n * export async function POST(request: NextRequest) {\n *   const session = await createSession(request);\n *   const jwt = await sessionManager.serialize(session);\n *   const response = NextResponse.json({ ok: true });\n *   return setSessionCookieOnResponse(response, jwt);\n * }\n * ```\n */\nexport function setSessionCookieOnResponse(\n  response: NextResponse,\n  sessionJwt: string,\n  options: {\n    cookieName?: string;\n    maxAge?: number;\n  } = {}\n): NextResponse {\n  const cookieName = options.cookieName ?? 'stackwright_session';\n  const maxAge = options.maxAge ?? 900; // 15 minutes\n\n  response.cookies.set(cookieName, sessionJwt, {\n    httpOnly: true,\n    secure: true,\n    sameSite: 'lax',\n    maxAge,\n  });\n\n  return response;\n}\n\n/**\n * Clear the session cookie on a `NextResponse` (App Router).\n *\n * This is the App Router equivalent of `clearSessionCookie()` from `cookie-utils.ts`.\n *\n * @example\n * ```typescript\n * // app/api/auth/logout/route.ts\n * import { clearSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n *\n * export async function POST() {\n *   const response = NextResponse.json({ ok: true });\n *   return clearSessionCookieOnResponse(response);\n * }\n * ```\n */\nexport function clearSessionCookieOnResponse(\n  response: NextResponse,\n  options: {\n    cookieName?: string;\n  } = {}\n): NextResponse {\n  const cookieName = options.cookieName ?? 'stackwright_session';\n  response.cookies.delete(cookieName);\n  return response;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAA+C;AA2DxC,SAAS,qBAAqB,QAA0B;AAC7D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,eAAe,SAAyD;AAC5F,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,2BAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;AC7DO,SAAS,eACd,SACA,QAC8D;AAC9D,QAAM,EAAE,gBAAgB,OAAO,aAAa,aAAa,sBAAsB,IAAI;AAEnF,SAAO,OAAO,KAAqB,QAAyB;AAE1D,UAAM,gBAAgB,IAAI,QAAQ,UAAU;AAE5C,QAAI,CAAC,eAAe;AAClB,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAQ;AAC1D;AAAA,IACF;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,aAAa;AAE9D,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAQ;AACxD;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AACtD,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AACnE,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,oBAAoB,YAAY;AAAA,UAAM,CAAC,eAC3C,QAAQ,KAAK,aAAa,SAAS,UAAU;AAAA,QAC/C;AACA,YAAI,CAAC,mBAAmB;AACtB,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,KAAK,KAAK,OAAO;AAAA,EACjC;AACF;;;AC1HA,kBAAiE;AAK1D,SAAS,iBACd,KACA,YACA,UAAyB,CAAC,GACpB;AACN,QAAM,aAAa,QAAQ,QAAQ;AACnC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,aAAS,6BAAgB,YAAY,YAAY;AAAA,IACrD,GAAG;AAAA,IACH;AAAA,IACA,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,UAAU,cAAc,MAAM;AACpC;AAKO,SAAS,mBACd,KACA,UAA2D,CAAC,GACtD;AACN,QAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAM,aAAS,yBAAY,YAAY,OAAO;AAE9C,MAAI,UAAU,cAAc,MAAM;AACpC;;;AHzBA,IAAAA,eAA2B;AAG3B,IAAAA,eAAmE;;;AIfnE,IAAAC,iBAA+C;AA+DxC,SAAS,sBACd,SACA,QAC0F;AAC1F,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,EACF,IAAI;AAEJ,SAAO,OACL,SACA,YACsB;AAEtB,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AAEpD,QAAI,CAAC,eAAe;AAClB,aAAO,4BAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAEpE,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,aAAO,4BAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACxE;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AAC/C,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AAC5D,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,oBAAoB,YAAY,MAAM,CAAC,MAAM,QAAQ,KAAK,aAAa,SAAS,CAAC,CAAC;AACxF,YAAI,CAAC,mBAAmB;AACtB,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,QAAQ,SAAS,SAAS,OAAO;AAAA,EAC1C;AACF;AAoBO,SAAS,2BACd,UACA,YACA,UAGI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,QAAM,SAAS,QAAQ,UAAU;AAEjC,WAAS,QAAQ,IAAI,YAAY,YAAY;AAAA,IAC3C,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AAED,SAAO;AACT;AAkBO,SAAS,6BACd,UACA,UAEI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,WAAS,QAAQ,OAAO,UAAU;AAClC,SAAO;AACT;","names":["import_auth","import_server"]}
+{"version":3,"sources":["../src/index.ts","../src/auth-handler.ts","../src/middleware.ts","../src/proxy.ts","../src/api-helpers.ts","../src/cookie-utils.ts","../src/route-handlers.ts"],"sourcesContent":["export { createAuthMiddleware, type MiddlewareConfig } from './middleware.js';\nexport { createAuthProxy, type ProxyConfig } from './proxy.js';\nexport { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\nexport {\n  protectedRoute,\n  type ProtectedRouteConfig,\n  type AuthenticatedHandler,\n} from './api-helpers.js';\nexport { setSessionCookie, clearSessionCookie } from './cookie-utils.js';\n\n// Re-export commonly used types/classes from core\nexport type { AuthUser, AuthSession, AuthConfig } from '@stackwright-pro/auth';\n\n// Re-export RBAC engine\nexport { RBACEngine } from '@stackwright-pro/auth';\n\n// Re-export React context components for Next.js apps\nexport { AuthProvider, AuthContext, useAuth, useRequireAuth } from '@stackwright-pro/auth';\nexport type { AuthProviderProps, AuthContextValue } from '@stackwright-pro/auth';\n\n// App Router Route Handler helpers (replaces api-helpers for App Router users)\nexport {\n  protectedRouteHandler,\n  setSessionCookieOnResponse,\n  clearSessionCookieOnResponse,\n  type RouteHandlerConfig,\n  type AuthenticatedRouteHandler,\n} from './route-handlers.js';\n","import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  SessionManager,\n  RBACEngine,\n  type AuthConfig,\n  type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface AuthHandlerConfig {\n  /**\n   * Auth configuration\n   */\n  authConfig: AuthConfig;\n\n  /**\n   * Session manager instance\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * RBAC engine instance\n   */\n  rbacEngine: RBACEngine;\n\n  /**\n   * Cookie name for session (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * URL to redirect to when authentication fails (default: '/login')\n   */\n  loginUrl?: string;\n\n  /**\n   * URL to redirect to when authorization fails (default: '/unauthorized')\n   */\n  unauthorizedUrl?: string;\n}\n\n/**\n * Core auth handler shared by both the middleware (Next.js <16) and\n * proxy (Next.js >=16) conventions.\n *\n * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.\n */\nexport function createAuthHandler(config: AuthHandlerConfig) {\n  const {\n    sessionManager,\n    rbacEngine,\n    cookieName = 'stackwright_session',\n    loginUrl = '/login',\n    unauthorizedUrl = '/unauthorized',\n  } = config;\n\n  return async function authHandler(request: NextRequest): Promise<NextResponse | undefined> {\n    const { pathname } = request.nextUrl;\n\n    // Check if route is public\n    if (rbacEngine.isPublicRoute(pathname)) {\n      return undefined; // Continue to next handler\n    }\n\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n    let session: AuthSession | null = null;\n\n    if (sessionCookie) {\n      session = await sessionManager.deserialize(sessionCookie.value);\n    }\n\n    // Check if session is valid\n    if (!session || sessionManager.isExpired(session)) {\n      // Redirect to login\n      const url = request.nextUrl.clone();\n      url.pathname = loginUrl;\n      url.searchParams.set('redirect', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    // Check if user can access route\n    if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n      // Redirect to unauthorized\n      const url = request.nextUrl.clone();\n      url.pathname = unauthorizedUrl;\n      return NextResponse.redirect(url);\n    }\n\n    // Refresh session if needed\n    if (sessionManager.shouldRefresh(session)) {\n      const refreshed = await sessionManager.refreshSession(session);\n      const newJwt = await sessionManager.serialize(refreshed);\n\n      const response = NextResponse.next();\n      response.cookies.set(cookieName, newJwt, {\n        httpOnly: true,\n        secure: true,\n        sameSite: 'lax',\n        maxAge: 900, // 15 minutes\n      });\n\n      return response;\n    }\n\n    // Allow request to continue\n    return undefined;\n  };\n}\n","import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/**\n * Configuration for Next.js middleware-based auth (Next.js <16).\n *\n * @deprecated For Next.js >=16, use {@link ProxyConfig} with {@link createAuthProxy} instead.\n * The `middleware.ts` file convention is deprecated in Next.js 16.\n */\nexport type MiddlewareConfig = AuthHandlerConfig;\n\n/**\n * Create Next.js middleware for authentication and authorization.\n *\n * For Next.js 14–15 projects that use the `middleware.ts` file convention.\n *\n * @deprecated For Next.js >=16, use {@link createAuthProxy} instead.\n * The `middleware.ts` file convention is deprecated in Next.js 16 in favor of `proxy.ts`.\n *\n * @example\n * ```typescript\n * // middleware.ts (Next.js 14–15)\n * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthMiddleware({\n *   authConfig,\n *   sessionManager,\n *   rbacEngine,\n * });\n *\n * export const config = {\n *   matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthMiddleware(config: MiddlewareConfig) {\n  return createAuthHandler(config);\n}\n","import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/**\n * Configuration for Next.js proxy-based auth (Next.js >=16).\n */\nexport type ProxyConfig = AuthHandlerConfig;\n\n/**\n * Create a Next.js proxy handler for authentication and authorization.\n *\n * For Next.js >=16 projects that use the `proxy.ts` file convention,\n * replacing the deprecated `middleware.ts` convention.\n *\n * @example\n * ```typescript\n * // proxy.ts (Next.js >=16)\n * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthProxy({\n *   authConfig,\n *   sessionManager,\n *   rbacEngine,\n * });\n *\n * export const config = {\n *   matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthProxy(config: ProxyConfig) {\n  return createAuthHandler(config);\n}\n","import type { NextApiRequest, NextApiResponse } from 'next';\nimport { SessionManager, RBACEngine, type AuthSession, type AuthUser } from '@stackwright-pro/auth';\n\nexport interface ProtectedRouteConfig {\n  /**\n   * Session manager for validating sessions\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * Required roles (user must have ANY of these)\n   */\n  roles?: string[];\n\n  /**\n   * Required permissions (user must have ALL of these)\n   */\n  permissions?: string[];\n\n  /**\n   * Cookie name (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * Optional RBAC engine for wildcard-aware role/permission checking.\n   * When provided, authorization decisions use RBACEngine (consistent\n   * with middleware). Without it, falls back to direct array checks.\n   */\n  rbacEngine?: RBACEngine;\n}\n\n/**\n * Handler function with authenticated session\n */\nexport type AuthenticatedHandler<T = any> = (\n  req: NextApiRequest,\n  res: NextApiResponse<T>,\n  session: AuthSession\n) => void | Promise<void>;\n\n/**\n * Wrap API route with authentication/authorization\n *\n * @example\n * ```typescript\n * // pages/api/equipment/[id].ts\n * export default protectedRoute(\n *   async (req, res, session) => {\n *     const equipment = await getEquipment(req.query.id);\n *     res.json(equipment);\n *   },\n *   {\n *     sessionManager,\n *     roles: ['ANALYST', 'ADMIN'],\n *   }\n * );\n * ```\n */\nexport function protectedRoute<T = any>(\n  handler: AuthenticatedHandler<T>,\n  config: ProtectedRouteConfig\n): (req: NextApiRequest, res: NextApiResponse) => Promise<void> {\n  const { sessionManager, roles, permissions, cookieName = 'stackwright_session' } = config;\n\n  return async (req: NextApiRequest, res: NextApiResponse) => {\n    // Extract session from cookie\n    const sessionCookie = req.cookies[cookieName];\n\n    if (!sessionCookie) {\n      res.status(401).json({ error: 'Not authenticated' } as any);\n      return;\n    }\n\n    // Verify session\n    const session = await sessionManager.deserialize(sessionCookie);\n\n    if (!session || sessionManager.isExpired(session)) {\n      res.status(401).json({ error: 'Session expired' } as any);\n      return;\n    }\n\n    // Check roles\n    if (roles && roles.length > 0) {\n      if (config.rbacEngine) {\n        // Use RBAC engine for consistent wildcard-aware checking\n        if (!config.rbacEngine.hasAnyRole(session.user, roles)) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      } else {\n        // Fallback: direct check (no wildcard support)\n        const hasRole = roles.some((role) => session.user.roles.includes(role));\n        if (!hasRole) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      }\n    }\n\n    // Check permissions\n    if (permissions && permissions.length > 0) {\n      if (config.rbacEngine) {\n        // Use RBAC engine for wildcard-aware permission checking\n        if (!config.rbacEngine.hasAllPermissions(session.user, permissions)) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      } else {\n        // Fallback: direct check (no wildcard support)\n        const hasAllPermissions = permissions.every((permission) =>\n          session.user.permissions?.includes(permission)\n        );\n        if (!hasAllPermissions) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      }\n    }\n\n    // Call handler with session\n    await handler(req, res, session);\n  };\n}\n","import type { NextApiResponse } from 'next';\nimport { serializeCookie, clearCookie, type CookieOptions } from '@stackwright-pro/auth';\n\n/**\n * Set session cookie in Next.js API response\n */\nexport function setSessionCookie(\n  res: NextApiResponse,\n  sessionJwt: string,\n  options: CookieOptions = {}\n): void {\n  const cookieName = options.name || 'stackwright_session';\n  const maxAge = options.maxAge || 900; // 15 minutes default\n\n  const cookie = serializeCookie(cookieName, sessionJwt, {\n    ...options,\n    maxAge,\n    httpOnly: true,\n    secure: true,\n    sameSite: 'lax',\n  });\n\n  res.setHeader('Set-Cookie', cookie);\n}\n\n/**\n * Clear session cookie in Next.js API response\n */\nexport function clearSessionCookie(\n  res: NextApiResponse,\n  options: Pick<CookieOptions, 'name' | 'domain' | 'path'> = {}\n): void {\n  const cookieName = options.name || 'stackwright_session';\n\n  const cookie = clearCookie(cookieName, options);\n\n  res.setHeader('Set-Cookie', cookie);\n}\n","import { type NextRequest, NextResponse } from 'next/server';\nimport { SessionManager, RBACEngine, type AuthSession } from '@stackwright-pro/auth';\n\nexport interface RouteHandlerConfig {\n  /**\n   * Session manager for validating sessions\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * Required roles (user must have ANY of these)\n   */\n  roles?: string[];\n\n  /**\n   * Required permissions (user must have ALL of these)\n   */\n  permissions?: string[];\n\n  /**\n   * Cookie name (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * Optional RBAC engine for wildcard-aware role/permission checking.\n   * When provided, authorization decisions use RBACEngine (consistent\n   * with middleware). Without it, falls back to direct array checks.\n   */\n  rbacEngine?: RBACEngine;\n}\n\n/**\n * Handler function with authenticated session — App Router Route Handler signature.\n */\nexport type AuthenticatedRouteHandler = (\n  request: NextRequest,\n  context: { params: Record<string, string> },\n  session: AuthSession\n) => Promise<Response> | Response;\n\n/**\n * Wrap an App Router Route Handler with authentication/authorization.\n *\n * This is the App Router equivalent of `protectedRoute()` from `api-helpers.ts`.\n *\n * @example\n * ```typescript\n * // app/api/equipment/[id]/route.ts\n * import { protectedRouteHandler } from '@stackwright-pro/auth-nextjs';\n *\n * export const GET = protectedRouteHandler(\n *   async (request, { params }, session) => {\n *     const equipment = await getEquipment(params.id);\n *     return NextResponse.json(equipment);\n *   },\n *   {\n *     sessionManager,\n *     roles: ['ANALYST', 'ADMIN'],\n *   }\n * );\n * ```\n */\nexport function protectedRouteHandler(\n  handler: AuthenticatedRouteHandler,\n  config: RouteHandlerConfig\n): (request: NextRequest, context: { params: Record<string, string> }) => Promise<Response> {\n  const {\n    sessionManager,\n    roles,\n    permissions,\n    cookieName = 'stackwright_session',\n    rbacEngine,\n  } = config;\n\n  return async (\n    request: NextRequest,\n    context: { params: Record<string, string> }\n  ): Promise<Response> => {\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n\n    if (!sessionCookie) {\n      return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });\n    }\n\n    // Verify session\n    const session = await sessionManager.deserialize(sessionCookie.value);\n\n    if (!session || sessionManager.isExpired(session)) {\n      return NextResponse.json({ error: 'Session expired' }, { status: 401 });\n    }\n\n    // Check roles\n    if (roles && roles.length > 0) {\n      if (rbacEngine) {\n        if (!rbacEngine.hasAnyRole(session.user, roles)) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      } else {\n        const hasRole = roles.some((role) => session.user.roles.includes(role));\n        if (!hasRole) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      }\n    }\n\n    // Check permissions\n    if (permissions && permissions.length > 0) {\n      if (rbacEngine) {\n        if (!rbacEngine.hasAllPermissions(session.user, permissions)) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      } else {\n        const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));\n        if (!hasAllPermissions) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      }\n    }\n\n    return handler(request, context, session);\n  };\n}\n\n/**\n * Set the session cookie on a `NextResponse` (App Router).\n *\n * This is the App Router equivalent of `setSessionCookie()` from `cookie-utils.ts`.\n *\n * @example\n * ```typescript\n * // app/api/auth/login/route.ts\n * import { setSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n *\n * export async function POST(request: NextRequest) {\n *   const session = await createSession(request);\n *   const jwt = await sessionManager.serialize(session);\n *   const response = NextResponse.json({ ok: true });\n *   return setSessionCookieOnResponse(response, jwt);\n * }\n * ```\n */\nexport function setSessionCookieOnResponse(\n  response: NextResponse,\n  sessionJwt: string,\n  options: {\n    cookieName?: string;\n    maxAge?: number;\n  } = {}\n): NextResponse {\n  const cookieName = options.cookieName ?? 'stackwright_session';\n  const maxAge = options.maxAge ?? 900; // 15 minutes\n\n  response.cookies.set(cookieName, sessionJwt, {\n    httpOnly: true,\n    secure: true,\n    sameSite: 'lax',\n    maxAge,\n  });\n\n  return response;\n}\n\n/**\n * Clear the session cookie on a `NextResponse` (App Router).\n *\n * This is the App Router equivalent of `clearSessionCookie()` from `cookie-utils.ts`.\n *\n * @example\n * ```typescript\n * // app/api/auth/logout/route.ts\n * import { clearSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n *\n * export async function POST() {\n *   const response = NextResponse.json({ ok: true });\n *   return clearSessionCookieOnResponse(response);\n * }\n * ```\n */\nexport function clearSessionCookieOnResponse(\n  response: NextResponse,\n  options: {\n    cookieName?: string;\n  } = {}\n): NextResponse {\n  const cookieName = options.cookieName ?? 'stackwright_session';\n  response.cookies.delete(cookieName);\n  return response;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAA+C;AA8CxC,SAAS,kBAAkB,QAA2B;AAC3D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,YAAY,SAAyD;AACzF,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,2BAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;ACzEO,SAAS,qBAAqB,QAA0B;AAC7D,SAAO,kBAAkB,MAAM;AACjC;;;ACPO,SAAS,gBAAgB,QAAqB;AACnD,SAAO,kBAAkB,MAAM;AACjC;;;AC4BO,SAAS,eACd,SACA,QAC8D;AAC9D,QAAM,EAAE,gBAAgB,OAAO,aAAa,aAAa,sBAAsB,IAAI;AAEnF,SAAO,OAAO,KAAqB,QAAyB;AAE1D,UAAM,gBAAgB,IAAI,QAAQ,UAAU;AAE5C,QAAI,CAAC,eAAe;AAClB,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAQ;AAC1D;AAAA,IACF;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,aAAa;AAE9D,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAQ;AACxD;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AACtD,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AACnE,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,oBAAoB,YAAY;AAAA,UAAM,CAAC,eAC3C,QAAQ,KAAK,aAAa,SAAS,UAAU;AAAA,QAC/C;AACA,YAAI,CAAC,mBAAmB;AACtB,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,KAAK,KAAK,OAAO;AAAA,EACjC;AACF;;;AC1HA,kBAAiE;AAK1D,SAAS,iBACd,KACA,YACA,UAAyB,CAAC,GACpB;AACN,QAAM,aAAa,QAAQ,QAAQ;AACnC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,aAAS,6BAAgB,YAAY,YAAY;AAAA,IACrD,GAAG;AAAA,IACH;AAAA,IACA,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,UAAU,cAAc,MAAM;AACpC;AAKO,SAAS,mBACd,KACA,UAA2D,CAAC,GACtD;AACN,QAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAM,aAAS,yBAAY,YAAY,OAAO;AAE9C,MAAI,UAAU,cAAc,MAAM;AACpC;;;ALvBA,IAAAA,eAA2B;AAG3B,IAAAA,eAAmE;;;AMjBnE,IAAAC,iBAA+C;AA+DxC,SAAS,sBACd,SACA,QAC0F;AAC1F,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,EACF,IAAI;AAEJ,SAAO,OACL,SACA,YACsB;AAEtB,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AAEpD,QAAI,CAAC,eAAe;AAClB,aAAO,4BAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAEpE,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,aAAO,4BAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACxE;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AAC/C,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AAC5D,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,oBAAoB,YAAY,MAAM,CAAC,MAAM,QAAQ,KAAK,aAAa,SAAS,CAAC,CAAC;AACxF,YAAI,CAAC,mBAAmB;AACtB,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,QAAQ,SAAS,SAAS,OAAO;AAAA,EAC1C;AACF;AAoBO,SAAS,2BACd,UACA,YACA,UAGI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,QAAM,SAAS,QAAQ,UAAU;AAEjC,WAAS,QAAQ,IAAI,YAAY,YAAY;AAAA,IAC3C,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AAED,SAAO;AACT;AAkBO,SAAS,6BACd,UACA,UAEI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,WAAS,QAAQ,OAAO,UAAU;AAClC,SAAO;AACT;","names":["import_auth","import_server"]}

package/dist/index.mjs

@@ -1,49 +1,11 @@
+import {
+  createAuthHandler,
+  createAuthProxy
+} from "./chunk-MFZSH4YL.mjs";
+
 // src/middleware.ts
-import { NextResponse } from "next/server";
 function createAuthMiddleware(config) {
-  const {
-    sessionManager,
-    rbacEngine,
-    cookieName = "stackwright_session",
-    loginUrl = "/login",
-    unauthorizedUrl = "/unauthorized"
-  } = config;
-  return async function authMiddleware(request) {
-    const { pathname } = request.nextUrl;
-    if (rbacEngine.isPublicRoute(pathname)) {
-      return void 0;
-    }
-    const sessionCookie = request.cookies.get(cookieName);
-    let session = null;
-    if (sessionCookie) {
-      session = await sessionManager.deserialize(sessionCookie.value);
-    }
-    if (!session || sessionManager.isExpired(session)) {
-      const url = request.nextUrl.clone();
-      url.pathname = loginUrl;
-      url.searchParams.set("redirect", pathname);
-      return NextResponse.redirect(url);
-    }
-    if (!rbacEngine.canAccessRoute(session.user, pathname)) {
-      const url = request.nextUrl.clone();
-      url.pathname = unauthorizedUrl;
-      return NextResponse.redirect(url);
-    }
-    if (sessionManager.shouldRefresh(session)) {
-      const refreshed = await sessionManager.refreshSession(session);
-      const newJwt = await sessionManager.serialize(refreshed);
-      const response = NextResponse.next();
-      response.cookies.set(cookieName, newJwt, {
-        httpOnly: true,
-        secure: true,
-        sameSite: "lax",
-        maxAge: 900
-        // 15 minutes
-      });
-      return response;
-    }
-    return void 0;
-  };
+  return createAuthHandler(config);
 }
 
 // src/api-helpers.ts
@@ -119,7 +81,7 @@ import { RBACEngine } from "@stackwright-pro/auth";
 import { AuthProvider, AuthContext, useAuth, useRequireAuth } from "@stackwright-pro/auth";
 
 // src/route-handlers.ts
-import { NextResponse as NextResponse2 } from "next/server";
+import { NextResponse } from "next/server";
 function protectedRouteHandler(handler, config) {
   const {
     sessionManager,
@@ -131,33 +93,33 @@ function protectedRouteHandler(handler, config) {
   return async (request, context) => {
     const sessionCookie = request.cookies.get(cookieName);
     if (!sessionCookie) {
-      return NextResponse2.json({ error: "Not authenticated" }, { status: 401 });
+      return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
     }
     const session = await sessionManager.deserialize(sessionCookie.value);
     if (!session || sessionManager.isExpired(session)) {
-      return NextResponse2.json({ error: "Session expired" }, { status: 401 });
+      return NextResponse.json({ error: "Session expired" }, { status: 401 });
     }
     if (roles && roles.length > 0) {
       if (rbacEngine) {
         if (!rbacEngine.hasAnyRole(session.user, roles)) {
-          return NextResponse2.json({ error: "Insufficient permissions" }, { status: 403 });
+          return NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
         }
       } else {
         const hasRole = roles.some((role) => session.user.roles.includes(role));
         if (!hasRole) {
-          return NextResponse2.json({ error: "Insufficient permissions" }, { status: 403 });
+          return NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
         }
       }
     }
     if (permissions && permissions.length > 0) {
       if (rbacEngine) {
         if (!rbacEngine.hasAllPermissions(session.user, permissions)) {
-          return NextResponse2.json({ error: "Insufficient permissions" }, { status: 403 });
+          return NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
         }
       } else {
         const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));
         if (!hasAllPermissions) {
-          return NextResponse2.json({ error: "Insufficient permissions" }, { status: 403 });
+          return NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
         }
       }
     }
@@ -186,7 +148,9 @@ export {
   RBACEngine,
   clearSessionCookie,
   clearSessionCookieOnResponse,
+  createAuthHandler,
   createAuthMiddleware,
+  createAuthProxy,
   protectedRoute,
   protectedRouteHandler,
   setSessionCookie,

package/dist/index.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/middleware.ts","../src/api-helpers.ts","../src/cookie-utils.ts","../src/index.ts","../src/route-handlers.ts"],"sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  SessionManager,\n  RBACEngine,\n  type AuthConfig,\n  type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface MiddlewareConfig {\n  /**\n   * Auth configuration\n   */\n  authConfig: AuthConfig;\n\n  /**\n   * Session manager instance\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * RBAC engine instance\n   */\n  rbacEngine: RBACEngine;\n\n  /**\n   * Cookie name for session (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * URL to redirect to when authentication fails (default: '/login')\n   */\n  loginUrl?: string;\n\n  /**\n   * URL to redirect to when authorization fails (default: '/unauthorized')\n   */\n  unauthorizedUrl?: string;\n}\n\n/**\n * Create Next.js middleware for authentication and authorization\n *\n * @example\n * ```typescript\n * // middleware.ts\n * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthMiddleware({\n *   authConfig,\n *   sessionManager,\n *   rbacEngine,\n * });\n *\n * export const config = {\n *   matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthMiddleware(config: MiddlewareConfig) {\n  const {\n    sessionManager,\n    rbacEngine,\n    cookieName = 'stackwright_session',\n    loginUrl = '/login',\n    unauthorizedUrl = '/unauthorized',\n  } = config;\n\n  return async function authMiddleware(request: NextRequest): Promise<NextResponse | undefined> {\n    const { pathname } = request.nextUrl;\n\n    // Check if route is public\n    if (rbacEngine.isPublicRoute(pathname)) {\n      return undefined; // Continue to next middleware\n    }\n\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n    let session: AuthSession | null = null;\n\n    if (sessionCookie) {\n      session = await sessionManager.deserialize(sessionCookie.value);\n    }\n\n    // Check if session is valid\n    if (!session || sessionManager.isExpired(session)) {\n      // Redirect to login\n      const url = request.nextUrl.clone();\n      url.pathname = loginUrl;\n      url.searchParams.set('redirect', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    // Check if user can access route\n    if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n      // Redirect to unauthorized\n      const url = request.nextUrl.clone();\n      url.pathname = unauthorizedUrl;\n      return NextResponse.redirect(url);\n    }\n\n    // Refresh session if needed\n    if (sessionManager.shouldRefresh(session)) {\n      const refreshed = await sessionManager.refreshSession(session);\n      const newJwt = await sessionManager.serialize(refreshed);\n\n      const response = NextResponse.next();\n      response.cookies.set(cookieName, newJwt, {\n        httpOnly: true,\n        secure: true,\n        sameSite: 'lax',\n        maxAge: 900, // 15 minutes\n      });\n\n      return response;\n    }\n\n    // Allow request to continue\n    return undefined;\n  };\n}\n","import type { NextApiRequest, NextApiResponse } from 'next';\nimport { SessionManager, RBACEngine, type AuthSession, type AuthUser } from '@stackwright-pro/auth';\n\nexport interface ProtectedRouteConfig {\n  /**\n   * Session manager for validating sessions\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * Required roles (user must have ANY of these)\n   */\n  roles?: string[];\n\n  /**\n   * Required permissions (user must have ALL of these)\n   */\n  permissions?: string[];\n\n  /**\n   * Cookie name (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * Optional RBAC engine for wildcard-aware role/permission checking.\n   * When provided, authorization decisions use RBACEngine (consistent\n   * with middleware). Without it, falls back to direct array checks.\n   */\n  rbacEngine?: RBACEngine;\n}\n\n/**\n * Handler function with authenticated session\n */\nexport type AuthenticatedHandler<T = any> = (\n  req: NextApiRequest,\n  res: NextApiResponse<T>,\n  session: AuthSession\n) => void | Promise<void>;\n\n/**\n * Wrap API route with authentication/authorization\n *\n * @example\n * ```typescript\n * // pages/api/equipment/[id].ts\n * export default protectedRoute(\n *   async (req, res, session) => {\n *     const equipment = await getEquipment(req.query.id);\n *     res.json(equipment);\n *   },\n *   {\n *     sessionManager,\n *     roles: ['ANALYST', 'ADMIN'],\n *   }\n * );\n * ```\n */\nexport function protectedRoute<T = any>(\n  handler: AuthenticatedHandler<T>,\n  config: ProtectedRouteConfig\n): (req: NextApiRequest, res: NextApiResponse) => Promise<void> {\n  const { sessionManager, roles, permissions, cookieName = 'stackwright_session' } = config;\n\n  return async (req: NextApiRequest, res: NextApiResponse) => {\n    // Extract session from cookie\n    const sessionCookie = req.cookies[cookieName];\n\n    if (!sessionCookie) {\n      res.status(401).json({ error: 'Not authenticated' } as any);\n      return;\n    }\n\n    // Verify session\n    const session = await sessionManager.deserialize(sessionCookie);\n\n    if (!session || sessionManager.isExpired(session)) {\n      res.status(401).json({ error: 'Session expired' } as any);\n      return;\n    }\n\n    // Check roles\n    if (roles && roles.length > 0) {\n      if (config.rbacEngine) {\n        // Use RBAC engine for consistent wildcard-aware checking\n        if (!config.rbacEngine.hasAnyRole(session.user, roles)) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      } else {\n        // Fallback: direct check (no wildcard support)\n        const hasRole = roles.some((role) => session.user.roles.includes(role));\n        if (!hasRole) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      }\n    }\n\n    // Check permissions\n    if (permissions && permissions.length > 0) {\n      if (config.rbacEngine) {\n        // Use RBAC engine for wildcard-aware permission checking\n        if (!config.rbacEngine.hasAllPermissions(session.user, permissions)) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      } else {\n        // Fallback: direct check (no wildcard support)\n        const hasAllPermissions = permissions.every((permission) =>\n          session.user.permissions?.includes(permission)\n        );\n        if (!hasAllPermissions) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      }\n    }\n\n    // Call handler with session\n    await handler(req, res, session);\n  };\n}\n","import type { NextApiResponse } from 'next';\nimport { serializeCookie, clearCookie, type CookieOptions } from '@stackwright-pro/auth';\n\n/**\n * Set session cookie in Next.js API response\n */\nexport function setSessionCookie(\n  res: NextApiResponse,\n  sessionJwt: string,\n  options: CookieOptions = {}\n): void {\n  const cookieName = options.name || 'stackwright_session';\n  const maxAge = options.maxAge || 900; // 15 minutes default\n\n  const cookie = serializeCookie(cookieName, sessionJwt, {\n    ...options,\n    maxAge,\n    httpOnly: true,\n    secure: true,\n    sameSite: 'lax',\n  });\n\n  res.setHeader('Set-Cookie', cookie);\n}\n\n/**\n * Clear session cookie in Next.js API response\n */\nexport function clearSessionCookie(\n  res: NextApiResponse,\n  options: Pick<CookieOptions, 'name' | 'domain' | 'path'> = {}\n): void {\n  const cookieName = options.name || 'stackwright_session';\n\n  const cookie = clearCookie(cookieName, options);\n\n  res.setHeader('Set-Cookie', cookie);\n}\n","export { createAuthMiddleware, type MiddlewareConfig } from './middleware.js';\nexport {\n  protectedRoute,\n  type ProtectedRouteConfig,\n  type AuthenticatedHandler,\n} from './api-helpers.js';\nexport { setSessionCookie, clearSessionCookie } from './cookie-utils.js';\n\n// Re-export commonly used types/classes from core\nexport type { AuthUser, AuthSession, AuthConfig } from '@stackwright-pro/auth';\n\n// Re-export RBAC engine\nexport { RBACEngine } from '@stackwright-pro/auth';\n\n// Re-export React context components for Next.js apps\nexport { AuthProvider, AuthContext, useAuth, useRequireAuth } from '@stackwright-pro/auth';\nexport type { AuthProviderProps, AuthContextValue } from '@stackwright-pro/auth';\n\n// App Router Route Handler helpers (replaces api-helpers for App Router users)\nexport {\n  protectedRouteHandler,\n  setSessionCookieOnResponse,\n  clearSessionCookieOnResponse,\n  type RouteHandlerConfig,\n  type AuthenticatedRouteHandler,\n} from './route-handlers.js';\n","import { type NextRequest, NextResponse } from 'next/server';\nimport { SessionManager, RBACEngine, type AuthSession } from '@stackwright-pro/auth';\n\nexport interface RouteHandlerConfig {\n  /**\n   * Session manager for validating sessions\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * Required roles (user must have ANY of these)\n   */\n  roles?: string[];\n\n  /**\n   * Required permissions (user must have ALL of these)\n   */\n  permissions?: string[];\n\n  /**\n   * Cookie name (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * Optional RBAC engine for wildcard-aware role/permission checking.\n   * When provided, authorization decisions use RBACEngine (consistent\n   * with middleware). Without it, falls back to direct array checks.\n   */\n  rbacEngine?: RBACEngine;\n}\n\n/**\n * Handler function with authenticated session — App Router Route Handler signature.\n */\nexport type AuthenticatedRouteHandler = (\n  request: NextRequest,\n  context: { params: Record<string, string> },\n  session: AuthSession\n) => Promise<Response> | Response;\n\n/**\n * Wrap an App Router Route Handler with authentication/authorization.\n *\n * This is the App Router equivalent of `protectedRoute()` from `api-helpers.ts`.\n *\n * @example\n * ```typescript\n * // app/api/equipment/[id]/route.ts\n * import { protectedRouteHandler } from '@stackwright-pro/auth-nextjs';\n *\n * export const GET = protectedRouteHandler(\n *   async (request, { params }, session) => {\n *     const equipment = await getEquipment(params.id);\n *     return NextResponse.json(equipment);\n *   },\n *   {\n *     sessionManager,\n *     roles: ['ANALYST', 'ADMIN'],\n *   }\n * );\n * ```\n */\nexport function protectedRouteHandler(\n  handler: AuthenticatedRouteHandler,\n  config: RouteHandlerConfig\n): (request: NextRequest, context: { params: Record<string, string> }) => Promise<Response> {\n  const {\n    sessionManager,\n    roles,\n    permissions,\n    cookieName = 'stackwright_session',\n    rbacEngine,\n  } = config;\n\n  return async (\n    request: NextRequest,\n    context: { params: Record<string, string> }\n  ): Promise<Response> => {\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n\n    if (!sessionCookie) {\n      return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });\n    }\n\n    // Verify session\n    const session = await sessionManager.deserialize(sessionCookie.value);\n\n    if (!session || sessionManager.isExpired(session)) {\n      return NextResponse.json({ error: 'Session expired' }, { status: 401 });\n    }\n\n    // Check roles\n    if (roles && roles.length > 0) {\n      if (rbacEngine) {\n        if (!rbacEngine.hasAnyRole(session.user, roles)) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      } else {\n        const hasRole = roles.some((role) => session.user.roles.includes(role));\n        if (!hasRole) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      }\n    }\n\n    // Check permissions\n    if (permissions && permissions.length > 0) {\n      if (rbacEngine) {\n        if (!rbacEngine.hasAllPermissions(session.user, permissions)) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      } else {\n        const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));\n        if (!hasAllPermissions) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      }\n    }\n\n    return handler(request, context, session);\n  };\n}\n\n/**\n * Set the session cookie on a `NextResponse` (App Router).\n *\n * This is the App Router equivalent of `setSessionCookie()` from `cookie-utils.ts`.\n *\n * @example\n * ```typescript\n * // app/api/auth/login/route.ts\n * import { setSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n *\n * export async function POST(request: NextRequest) {\n *   const session = await createSession(request);\n *   const jwt = await sessionManager.serialize(session);\n *   const response = NextResponse.json({ ok: true });\n *   return setSessionCookieOnResponse(response, jwt);\n * }\n * ```\n */\nexport function setSessionCookieOnResponse(\n  response: NextResponse,\n  sessionJwt: string,\n  options: {\n    cookieName?: string;\n    maxAge?: number;\n  } = {}\n): NextResponse {\n  const cookieName = options.cookieName ?? 'stackwright_session';\n  const maxAge = options.maxAge ?? 900; // 15 minutes\n\n  response.cookies.set(cookieName, sessionJwt, {\n    httpOnly: true,\n    secure: true,\n    sameSite: 'lax',\n    maxAge,\n  });\n\n  return response;\n}\n\n/**\n * Clear the session cookie on a `NextResponse` (App Router).\n *\n * This is the App Router equivalent of `clearSessionCookie()` from `cookie-utils.ts`.\n *\n * @example\n * ```typescript\n * // app/api/auth/logout/route.ts\n * import { clearSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n *\n * export async function POST() {\n *   const response = NextResponse.json({ ok: true });\n *   return clearSessionCookieOnResponse(response);\n * }\n * ```\n */\nexport function clearSessionCookieOnResponse(\n  response: NextResponse,\n  options: {\n    cookieName?: string;\n  } = {}\n): NextResponse {\n  const cookieName = options.cookieName ?? 'stackwright_session';\n  response.cookies.delete(cookieName);\n  return response;\n}\n"],"mappings":";AAAA,SAA2B,oBAAoB;AA2DxC,SAAS,qBAAqB,QAA0B;AAC7D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,eAAe,SAAyD;AAC5F,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,aAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;AC7DO,SAAS,eACd,SACA,QAC8D;AAC9D,QAAM,EAAE,gBAAgB,OAAO,aAAa,aAAa,sBAAsB,IAAI;AAEnF,SAAO,OAAO,KAAqB,QAAyB;AAE1D,UAAM,gBAAgB,IAAI,QAAQ,UAAU;AAE5C,QAAI,CAAC,eAAe;AAClB,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAQ;AAC1D;AAAA,IACF;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,aAAa;AAE9D,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAQ;AACxD;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AACtD,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AACnE,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,oBAAoB,YAAY;AAAA,UAAM,CAAC,eAC3C,QAAQ,KAAK,aAAa,SAAS,UAAU;AAAA,QAC/C;AACA,YAAI,CAAC,mBAAmB;AACtB,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,KAAK,KAAK,OAAO;AAAA,EACjC;AACF;;;AC1HA,SAAS,iBAAiB,mBAAuC;AAK1D,SAAS,iBACd,KACA,YACA,UAAyB,CAAC,GACpB;AACN,QAAM,aAAa,QAAQ,QAAQ;AACnC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,SAAS,gBAAgB,YAAY,YAAY;AAAA,IACrD,GAAG;AAAA,IACH;AAAA,IACA,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,UAAU,cAAc,MAAM;AACpC;AAKO,SAAS,mBACd,KACA,UAA2D,CAAC,GACtD;AACN,QAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAM,SAAS,YAAY,YAAY,OAAO;AAE9C,MAAI,UAAU,cAAc,MAAM;AACpC;;;ACzBA,SAAS,kBAAkB;AAG3B,SAAS,cAAc,aAAa,SAAS,sBAAsB;;;ACfnE,SAA2B,gBAAAA,qBAAoB;AA+DxC,SAAS,sBACd,SACA,QAC0F;AAC1F,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,EACF,IAAI;AAEJ,SAAO,OACL,SACA,YACsB;AAEtB,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AAEpD,QAAI,CAAC,eAAe;AAClB,aAAOA,cAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAEpE,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,aAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACxE;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AAC/C,iBAAOA,cAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,iBAAOA,cAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AAC5D,iBAAOA,cAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,oBAAoB,YAAY,MAAM,CAAC,MAAM,QAAQ,KAAK,aAAa,SAAS,CAAC,CAAC;AACxF,YAAI,CAAC,mBAAmB;AACtB,iBAAOA,cAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,QAAQ,SAAS,SAAS,OAAO;AAAA,EAC1C;AACF;AAoBO,SAAS,2BACd,UACA,YACA,UAGI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,QAAM,SAAS,QAAQ,UAAU;AAEjC,WAAS,QAAQ,IAAI,YAAY,YAAY;AAAA,IAC3C,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AAED,SAAO;AACT;AAkBO,SAAS,6BACd,UACA,UAEI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,WAAS,QAAQ,OAAO,UAAU;AAClC,SAAO;AACT;","names":["NextResponse"]}
+{"version":3,"sources":["../src/middleware.ts","../src/api-helpers.ts","../src/cookie-utils.ts","../src/index.ts","../src/route-handlers.ts"],"sourcesContent":["import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/**\n * Configuration for Next.js middleware-based auth (Next.js <16).\n *\n * @deprecated For Next.js >=16, use {@link ProxyConfig} with {@link createAuthProxy} instead.\n * The `middleware.ts` file convention is deprecated in Next.js 16.\n */\nexport type MiddlewareConfig = AuthHandlerConfig;\n\n/**\n * Create Next.js middleware for authentication and authorization.\n *\n * For Next.js 14–15 projects that use the `middleware.ts` file convention.\n *\n * @deprecated For Next.js >=16, use {@link createAuthProxy} instead.\n * The `middleware.ts` file convention is deprecated in Next.js 16 in favor of `proxy.ts`.\n *\n * @example\n * ```typescript\n * // middleware.ts (Next.js 14–15)\n * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthMiddleware({\n *   authConfig,\n *   sessionManager,\n *   rbacEngine,\n * });\n *\n * export const config = {\n *   matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthMiddleware(config: MiddlewareConfig) {\n  return createAuthHandler(config);\n}\n","import type { NextApiRequest, NextApiResponse } from 'next';\nimport { SessionManager, RBACEngine, type AuthSession, type AuthUser } from '@stackwright-pro/auth';\n\nexport interface ProtectedRouteConfig {\n  /**\n   * Session manager for validating sessions\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * Required roles (user must have ANY of these)\n   */\n  roles?: string[];\n\n  /**\n   * Required permissions (user must have ALL of these)\n   */\n  permissions?: string[];\n\n  /**\n   * Cookie name (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * Optional RBAC engine for wildcard-aware role/permission checking.\n   * When provided, authorization decisions use RBACEngine (consistent\n   * with middleware). Without it, falls back to direct array checks.\n   */\n  rbacEngine?: RBACEngine;\n}\n\n/**\n * Handler function with authenticated session\n */\nexport type AuthenticatedHandler<T = any> = (\n  req: NextApiRequest,\n  res: NextApiResponse<T>,\n  session: AuthSession\n) => void | Promise<void>;\n\n/**\n * Wrap API route with authentication/authorization\n *\n * @example\n * ```typescript\n * // pages/api/equipment/[id].ts\n * export default protectedRoute(\n *   async (req, res, session) => {\n *     const equipment = await getEquipment(req.query.id);\n *     res.json(equipment);\n *   },\n *   {\n *     sessionManager,\n *     roles: ['ANALYST', 'ADMIN'],\n *   }\n * );\n * ```\n */\nexport function protectedRoute<T = any>(\n  handler: AuthenticatedHandler<T>,\n  config: ProtectedRouteConfig\n): (req: NextApiRequest, res: NextApiResponse) => Promise<void> {\n  const { sessionManager, roles, permissions, cookieName = 'stackwright_session' } = config;\n\n  return async (req: NextApiRequest, res: NextApiResponse) => {\n    // Extract session from cookie\n    const sessionCookie = req.cookies[cookieName];\n\n    if (!sessionCookie) {\n      res.status(401).json({ error: 'Not authenticated' } as any);\n      return;\n    }\n\n    // Verify session\n    const session = await sessionManager.deserialize(sessionCookie);\n\n    if (!session || sessionManager.isExpired(session)) {\n      res.status(401).json({ error: 'Session expired' } as any);\n      return;\n    }\n\n    // Check roles\n    if (roles && roles.length > 0) {\n      if (config.rbacEngine) {\n        // Use RBAC engine for consistent wildcard-aware checking\n        if (!config.rbacEngine.hasAnyRole(session.user, roles)) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      } else {\n        // Fallback: direct check (no wildcard support)\n        const hasRole = roles.some((role) => session.user.roles.includes(role));\n        if (!hasRole) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      }\n    }\n\n    // Check permissions\n    if (permissions && permissions.length > 0) {\n      if (config.rbacEngine) {\n        // Use RBAC engine for wildcard-aware permission checking\n        if (!config.rbacEngine.hasAllPermissions(session.user, permissions)) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      } else {\n        // Fallback: direct check (no wildcard support)\n        const hasAllPermissions = permissions.every((permission) =>\n          session.user.permissions?.includes(permission)\n        );\n        if (!hasAllPermissions) {\n          res.status(403).json({ error: 'Insufficient permissions' } as any);\n          return;\n        }\n      }\n    }\n\n    // Call handler with session\n    await handler(req, res, session);\n  };\n}\n","import type { NextApiResponse } from 'next';\nimport { serializeCookie, clearCookie, type CookieOptions } from '@stackwright-pro/auth';\n\n/**\n * Set session cookie in Next.js API response\n */\nexport function setSessionCookie(\n  res: NextApiResponse,\n  sessionJwt: string,\n  options: CookieOptions = {}\n): void {\n  const cookieName = options.name || 'stackwright_session';\n  const maxAge = options.maxAge || 900; // 15 minutes default\n\n  const cookie = serializeCookie(cookieName, sessionJwt, {\n    ...options,\n    maxAge,\n    httpOnly: true,\n    secure: true,\n    sameSite: 'lax',\n  });\n\n  res.setHeader('Set-Cookie', cookie);\n}\n\n/**\n * Clear session cookie in Next.js API response\n */\nexport function clearSessionCookie(\n  res: NextApiResponse,\n  options: Pick<CookieOptions, 'name' | 'domain' | 'path'> = {}\n): void {\n  const cookieName = options.name || 'stackwright_session';\n\n  const cookie = clearCookie(cookieName, options);\n\n  res.setHeader('Set-Cookie', cookie);\n}\n","export { createAuthMiddleware, type MiddlewareConfig } from './middleware.js';\nexport { createAuthProxy, type ProxyConfig } from './proxy.js';\nexport { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\nexport {\n  protectedRoute,\n  type ProtectedRouteConfig,\n  type AuthenticatedHandler,\n} from './api-helpers.js';\nexport { setSessionCookie, clearSessionCookie } from './cookie-utils.js';\n\n// Re-export commonly used types/classes from core\nexport type { AuthUser, AuthSession, AuthConfig } from '@stackwright-pro/auth';\n\n// Re-export RBAC engine\nexport { RBACEngine } from '@stackwright-pro/auth';\n\n// Re-export React context components for Next.js apps\nexport { AuthProvider, AuthContext, useAuth, useRequireAuth } from '@stackwright-pro/auth';\nexport type { AuthProviderProps, AuthContextValue } from '@stackwright-pro/auth';\n\n// App Router Route Handler helpers (replaces api-helpers for App Router users)\nexport {\n  protectedRouteHandler,\n  setSessionCookieOnResponse,\n  clearSessionCookieOnResponse,\n  type RouteHandlerConfig,\n  type AuthenticatedRouteHandler,\n} from './route-handlers.js';\n","import { type NextRequest, NextResponse } from 'next/server';\nimport { SessionManager, RBACEngine, type AuthSession } from '@stackwright-pro/auth';\n\nexport interface RouteHandlerConfig {\n  /**\n   * Session manager for validating sessions\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * Required roles (user must have ANY of these)\n   */\n  roles?: string[];\n\n  /**\n   * Required permissions (user must have ALL of these)\n   */\n  permissions?: string[];\n\n  /**\n   * Cookie name (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * Optional RBAC engine for wildcard-aware role/permission checking.\n   * When provided, authorization decisions use RBACEngine (consistent\n   * with middleware). Without it, falls back to direct array checks.\n   */\n  rbacEngine?: RBACEngine;\n}\n\n/**\n * Handler function with authenticated session — App Router Route Handler signature.\n */\nexport type AuthenticatedRouteHandler = (\n  request: NextRequest,\n  context: { params: Record<string, string> },\n  session: AuthSession\n) => Promise<Response> | Response;\n\n/**\n * Wrap an App Router Route Handler with authentication/authorization.\n *\n * This is the App Router equivalent of `protectedRoute()` from `api-helpers.ts`.\n *\n * @example\n * ```typescript\n * // app/api/equipment/[id]/route.ts\n * import { protectedRouteHandler } from '@stackwright-pro/auth-nextjs';\n *\n * export const GET = protectedRouteHandler(\n *   async (request, { params }, session) => {\n *     const equipment = await getEquipment(params.id);\n *     return NextResponse.json(equipment);\n *   },\n *   {\n *     sessionManager,\n *     roles: ['ANALYST', 'ADMIN'],\n *   }\n * );\n * ```\n */\nexport function protectedRouteHandler(\n  handler: AuthenticatedRouteHandler,\n  config: RouteHandlerConfig\n): (request: NextRequest, context: { params: Record<string, string> }) => Promise<Response> {\n  const {\n    sessionManager,\n    roles,\n    permissions,\n    cookieName = 'stackwright_session',\n    rbacEngine,\n  } = config;\n\n  return async (\n    request: NextRequest,\n    context: { params: Record<string, string> }\n  ): Promise<Response> => {\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n\n    if (!sessionCookie) {\n      return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });\n    }\n\n    // Verify session\n    const session = await sessionManager.deserialize(sessionCookie.value);\n\n    if (!session || sessionManager.isExpired(session)) {\n      return NextResponse.json({ error: 'Session expired' }, { status: 401 });\n    }\n\n    // Check roles\n    if (roles && roles.length > 0) {\n      if (rbacEngine) {\n        if (!rbacEngine.hasAnyRole(session.user, roles)) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      } else {\n        const hasRole = roles.some((role) => session.user.roles.includes(role));\n        if (!hasRole) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      }\n    }\n\n    // Check permissions\n    if (permissions && permissions.length > 0) {\n      if (rbacEngine) {\n        if (!rbacEngine.hasAllPermissions(session.user, permissions)) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      } else {\n        const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));\n        if (!hasAllPermissions) {\n          return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n        }\n      }\n    }\n\n    return handler(request, context, session);\n  };\n}\n\n/**\n * Set the session cookie on a `NextResponse` (App Router).\n *\n * This is the App Router equivalent of `setSessionCookie()` from `cookie-utils.ts`.\n *\n * @example\n * ```typescript\n * // app/api/auth/login/route.ts\n * import { setSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n *\n * export async function POST(request: NextRequest) {\n *   const session = await createSession(request);\n *   const jwt = await sessionManager.serialize(session);\n *   const response = NextResponse.json({ ok: true });\n *   return setSessionCookieOnResponse(response, jwt);\n * }\n * ```\n */\nexport function setSessionCookieOnResponse(\n  response: NextResponse,\n  sessionJwt: string,\n  options: {\n    cookieName?: string;\n    maxAge?: number;\n  } = {}\n): NextResponse {\n  const cookieName = options.cookieName ?? 'stackwright_session';\n  const maxAge = options.maxAge ?? 900; // 15 minutes\n\n  response.cookies.set(cookieName, sessionJwt, {\n    httpOnly: true,\n    secure: true,\n    sameSite: 'lax',\n    maxAge,\n  });\n\n  return response;\n}\n\n/**\n * Clear the session cookie on a `NextResponse` (App Router).\n *\n * This is the App Router equivalent of `clearSessionCookie()` from `cookie-utils.ts`.\n *\n * @example\n * ```typescript\n * // app/api/auth/logout/route.ts\n * import { clearSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n *\n * export async function POST() {\n *   const response = NextResponse.json({ ok: true });\n *   return clearSessionCookieOnResponse(response);\n * }\n * ```\n */\nexport function clearSessionCookieOnResponse(\n  response: NextResponse,\n  options: {\n    cookieName?: string;\n  } = {}\n): NextResponse {\n  const cookieName = options.cookieName ?? 'stackwright_session';\n  response.cookies.delete(cookieName);\n  return response;\n}\n"],"mappings":";;;;;;AAkCO,SAAS,qBAAqB,QAA0B;AAC7D,SAAO,kBAAkB,MAAM;AACjC;;;ACuBO,SAAS,eACd,SACA,QAC8D;AAC9D,QAAM,EAAE,gBAAgB,OAAO,aAAa,aAAa,sBAAsB,IAAI;AAEnF,SAAO,OAAO,KAAqB,QAAyB;AAE1D,UAAM,gBAAgB,IAAI,QAAQ,UAAU;AAE5C,QAAI,CAAC,eAAe;AAClB,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAQ;AAC1D;AAAA,IACF;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,aAAa;AAE9D,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAQ;AACxD;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AACtD,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AACnE,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,oBAAoB,YAAY;AAAA,UAAM,CAAC,eAC3C,QAAQ,KAAK,aAAa,SAAS,UAAU;AAAA,QAC/C;AACA,YAAI,CAAC,mBAAmB;AACtB,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,KAAK,KAAK,OAAO;AAAA,EACjC;AACF;;;AC1HA,SAAS,iBAAiB,mBAAuC;AAK1D,SAAS,iBACd,KACA,YACA,UAAyB,CAAC,GACpB;AACN,QAAM,aAAa,QAAQ,QAAQ;AACnC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,SAAS,gBAAgB,YAAY,YAAY;AAAA,IACrD,GAAG;AAAA,IACH;AAAA,IACA,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,UAAU,cAAc,MAAM;AACpC;AAKO,SAAS,mBACd,KACA,UAA2D,CAAC,GACtD;AACN,QAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAM,SAAS,YAAY,YAAY,OAAO;AAE9C,MAAI,UAAU,cAAc,MAAM;AACpC;;;ACvBA,SAAS,kBAAkB;AAG3B,SAAS,cAAc,aAAa,SAAS,sBAAsB;;;ACjBnE,SAA2B,oBAAoB;AA+DxC,SAAS,sBACd,SACA,QAC0F;AAC1F,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,EACF,IAAI;AAEJ,SAAO,OACL,SACA,YACsB;AAEtB,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AAEpD,QAAI,CAAC,eAAe;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAEpE,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,aAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACxE;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AAC/C,iBAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,iBAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AAC5D,iBAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,oBAAoB,YAAY,MAAM,CAAC,MAAM,QAAQ,KAAK,aAAa,SAAS,CAAC,CAAC;AACxF,YAAI,CAAC,mBAAmB;AACtB,iBAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,QAAQ,SAAS,SAAS,OAAO;AAAA,EAC1C;AACF;AAoBO,SAAS,2BACd,UACA,YACA,UAGI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,QAAM,SAAS,QAAQ,UAAU;AAEjC,WAAS,QAAQ,IAAI,YAAY,YAAY;AAAA,IAC3C,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AAED,SAAO;AACT;AAkBO,SAAS,6BACd,UACA,UAEI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,WAAS,QAAQ,OAAO,UAAU;AAClC,SAAO;AACT;","names":[]}

package/dist/proxy-Blj2kIJp.d.mts

@@ -0,0 +1,67 @@
+import * as next_server_js from 'next/server.js';
+import { NextRequest, NextResponse } from 'next/server';
+import { AuthConfig, SessionManager, RBACEngine } from '@stackwright-pro/auth';
+
+interface AuthHandlerConfig {
+    /**
+     * Auth configuration
+     */
+    authConfig: AuthConfig;
+    /**
+     * Session manager instance
+     */
+    sessionManager: SessionManager;
+    /**
+     * RBAC engine instance
+     */
+    rbacEngine: RBACEngine;
+    /**
+     * Cookie name for session (default: 'stackwright_session')
+     */
+    cookieName?: string;
+    /**
+     * URL to redirect to when authentication fails (default: '/login')
+     */
+    loginUrl?: string;
+    /**
+     * URL to redirect to when authorization fails (default: '/unauthorized')
+     */
+    unauthorizedUrl?: string;
+}
+/**
+ * Core auth handler shared by both the middleware (Next.js <16) and
+ * proxy (Next.js >=16) conventions.
+ *
+ * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.
+ */
+declare function createAuthHandler(config: AuthHandlerConfig): (request: NextRequest) => Promise<NextResponse | undefined>;
+
+/**
+ * Configuration for Next.js proxy-based auth (Next.js >=16).
+ */
+type ProxyConfig = AuthHandlerConfig;
+/**
+ * Create a Next.js proxy handler for authentication and authorization.
+ *
+ * For Next.js >=16 projects that use the `proxy.ts` file convention,
+ * replacing the deprecated `middleware.ts` convention.
+ *
+ * @example
+ * ```typescript
+ * // proxy.ts (Next.js >=16)
+ * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';
+ *
+ * export default createAuthProxy({
+ *   authConfig,
+ *   sessionManager,
+ *   rbacEngine,
+ * });
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next|api/auth).*)'],
+ * };
+ * ```
+ */
+declare function createAuthProxy(config: ProxyConfig): (request: next_server_js.NextRequest) => Promise<next_server_js.NextResponse | undefined>;
+
+export { type AuthHandlerConfig as A, type ProxyConfig as P, createAuthProxy as a, createAuthHandler as c };

package/dist/proxy-Blj2kIJp.d.ts

@@ -0,0 +1,67 @@
+import * as next_server_js from 'next/server.js';
+import { NextRequest, NextResponse } from 'next/server';
+import { AuthConfig, SessionManager, RBACEngine } from '@stackwright-pro/auth';
+
+interface AuthHandlerConfig {
+    /**
+     * Auth configuration
+     */
+    authConfig: AuthConfig;
+    /**
+     * Session manager instance
+     */
+    sessionManager: SessionManager;
+    /**
+     * RBAC engine instance
+     */
+    rbacEngine: RBACEngine;
+    /**
+     * Cookie name for session (default: 'stackwright_session')
+     */
+    cookieName?: string;
+    /**
+     * URL to redirect to when authentication fails (default: '/login')
+     */
+    loginUrl?: string;
+    /**
+     * URL to redirect to when authorization fails (default: '/unauthorized')
+     */
+    unauthorizedUrl?: string;
+}
+/**
+ * Core auth handler shared by both the middleware (Next.js <16) and
+ * proxy (Next.js >=16) conventions.
+ *
+ * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.
+ */
+declare function createAuthHandler(config: AuthHandlerConfig): (request: NextRequest) => Promise<NextResponse | undefined>;
+
+/**
+ * Configuration for Next.js proxy-based auth (Next.js >=16).
+ */
+type ProxyConfig = AuthHandlerConfig;
+/**
+ * Create a Next.js proxy handler for authentication and authorization.
+ *
+ * For Next.js >=16 projects that use the `proxy.ts` file convention,
+ * replacing the deprecated `middleware.ts` convention.
+ *
+ * @example
+ * ```typescript
+ * // proxy.ts (Next.js >=16)
+ * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';
+ *
+ * export default createAuthProxy({
+ *   authConfig,
+ *   sessionManager,
+ *   rbacEngine,
+ * });
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next|api/auth).*)'],
+ * };
+ * ```
+ */
+declare function createAuthProxy(config: ProxyConfig): (request: next_server_js.NextRequest) => Promise<next_server_js.NextResponse | undefined>;
+
+export { type AuthHandlerConfig as A, type ProxyConfig as P, createAuthProxy as a, createAuthHandler as c };

package/dist/proxy.d.mts

@@ -0,0 +1,4 @@
+import 'next/server.js';
+export { P as ProxyConfig, a as createAuthProxy } from './proxy-Blj2kIJp.mjs';
+import 'next/server';
+import '@stackwright-pro/auth';

package/dist/proxy.d.ts

@@ -0,0 +1,4 @@
+import 'next/server.js';
+export { P as ProxyConfig, a as createAuthProxy } from './proxy-Blj2kIJp.js';
+import 'next/server';
+import '@stackwright-pro/auth';

package/dist/proxy.js

@@ -0,0 +1,83 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/proxy.ts
+var proxy_exports = {};
+__export(proxy_exports, {
+  createAuthProxy: () => createAuthProxy
+});
+module.exports = __toCommonJS(proxy_exports);
+
+// src/auth-handler.ts
+var import_server = require("next/server");
+function createAuthHandler(config) {
+  const {
+    sessionManager,
+    rbacEngine,
+    cookieName = "stackwright_session",
+    loginUrl = "/login",
+    unauthorizedUrl = "/unauthorized"
+  } = config;
+  return async function authHandler(request) {
+    const { pathname } = request.nextUrl;
+    if (rbacEngine.isPublicRoute(pathname)) {
+      return void 0;
+    }
+    const sessionCookie = request.cookies.get(cookieName);
+    let session = null;
+    if (sessionCookie) {
+      session = await sessionManager.deserialize(sessionCookie.value);
+    }
+    if (!session || sessionManager.isExpired(session)) {
+      const url = request.nextUrl.clone();
+      url.pathname = loginUrl;
+      url.searchParams.set("redirect", pathname);
+      return import_server.NextResponse.redirect(url);
+    }
+    if (!rbacEngine.canAccessRoute(session.user, pathname)) {
+      const url = request.nextUrl.clone();
+      url.pathname = unauthorizedUrl;
+      return import_server.NextResponse.redirect(url);
+    }
+    if (sessionManager.shouldRefresh(session)) {
+      const refreshed = await sessionManager.refreshSession(session);
+      const newJwt = await sessionManager.serialize(refreshed);
+      const response = import_server.NextResponse.next();
+      response.cookies.set(cookieName, newJwt, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax",
+        maxAge: 900
+        // 15 minutes
+      });
+      return response;
+    }
+    return void 0;
+  };
+}
+
+// src/proxy.ts
+function createAuthProxy(config) {
+  return createAuthHandler(config);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthProxy
+});
+//# sourceMappingURL=proxy.js.map

package/dist/proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/proxy.ts","../src/auth-handler.ts"],"sourcesContent":["import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/**\n * Configuration for Next.js proxy-based auth (Next.js >=16).\n */\nexport type ProxyConfig = AuthHandlerConfig;\n\n/**\n * Create a Next.js proxy handler for authentication and authorization.\n *\n * For Next.js >=16 projects that use the `proxy.ts` file convention,\n * replacing the deprecated `middleware.ts` convention.\n *\n * @example\n * ```typescript\n * // proxy.ts (Next.js >=16)\n * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthProxy({\n *   authConfig,\n *   sessionManager,\n *   rbacEngine,\n * });\n *\n * export const config = {\n *   matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthProxy(config: ProxyConfig) {\n  return createAuthHandler(config);\n}\n","import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  SessionManager,\n  RBACEngine,\n  type AuthConfig,\n  type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface AuthHandlerConfig {\n  /**\n   * Auth configuration\n   */\n  authConfig: AuthConfig;\n\n  /**\n   * Session manager instance\n   */\n  sessionManager: SessionManager;\n\n  /**\n   * RBAC engine instance\n   */\n  rbacEngine: RBACEngine;\n\n  /**\n   * Cookie name for session (default: 'stackwright_session')\n   */\n  cookieName?: string;\n\n  /**\n   * URL to redirect to when authentication fails (default: '/login')\n   */\n  loginUrl?: string;\n\n  /**\n   * URL to redirect to when authorization fails (default: '/unauthorized')\n   */\n  unauthorizedUrl?: string;\n}\n\n/**\n * Core auth handler shared by both the middleware (Next.js <16) and\n * proxy (Next.js >=16) conventions.\n *\n * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.\n */\nexport function createAuthHandler(config: AuthHandlerConfig) {\n  const {\n    sessionManager,\n    rbacEngine,\n    cookieName = 'stackwright_session',\n    loginUrl = '/login',\n    unauthorizedUrl = '/unauthorized',\n  } = config;\n\n  return async function authHandler(request: NextRequest): Promise<NextResponse | undefined> {\n    const { pathname } = request.nextUrl;\n\n    // Check if route is public\n    if (rbacEngine.isPublicRoute(pathname)) {\n      return undefined; // Continue to next handler\n    }\n\n    // Extract session from cookie\n    const sessionCookie = request.cookies.get(cookieName);\n    let session: AuthSession | null = null;\n\n    if (sessionCookie) {\n      session = await sessionManager.deserialize(sessionCookie.value);\n    }\n\n    // Check if session is valid\n    if (!session || sessionManager.isExpired(session)) {\n      // Redirect to login\n      const url = request.nextUrl.clone();\n      url.pathname = loginUrl;\n      url.searchParams.set('redirect', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    // Check if user can access route\n    if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n      // Redirect to unauthorized\n      const url = request.nextUrl.clone();\n      url.pathname = unauthorizedUrl;\n      return NextResponse.redirect(url);\n    }\n\n    // Refresh session if needed\n    if (sessionManager.shouldRefresh(session)) {\n      const refreshed = await sessionManager.refreshSession(session);\n      const newJwt = await sessionManager.serialize(refreshed);\n\n      const response = NextResponse.next();\n      response.cookies.set(cookieName, newJwt, {\n        httpOnly: true,\n        secure: true,\n        sameSite: 'lax',\n        maxAge: 900, // 15 minutes\n      });\n\n      return response;\n    }\n\n    // Allow request to continue\n    return undefined;\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAA+C;AA8CxC,SAAS,kBAAkB,QAA2B;AAC3D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,YAAY,SAAyD;AACzF,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,2BAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;AD9EO,SAAS,gBAAgB,QAAqB;AACnD,SAAO,kBAAkB,MAAM;AACjC;","names":[]}

package/dist/proxy.mjs

@@ -0,0 +1,7 @@
+import {
+  createAuthProxy
+} from "./chunk-MFZSH4YL.mjs";
+export {
+  createAuthProxy
+};
+//# sourceMappingURL=proxy.mjs.map

package/dist/proxy.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackwright-pro/auth-nextjs",
-  "version": "0.2.0-alpha.7",
+  "version": "0.3.0-alpha.0",
   "description": "Next.js adapter for Stackwright Pro authentication",
   "license": "SEE LICENSE IN LICENSE",
   "main": "./dist/index.js",
@@ -11,19 +11,25 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.mjs",
       "require": "./dist/index.js"
+    },
+    "./proxy": {
+      "types": "./dist/proxy.d.ts",
+      "import": "./dist/proxy.mjs",
+      "require": "./dist/proxy.js"
     }
   },
   "files": [
     "dist"
   ],
   "dependencies": {
-    "@stackwright-pro/auth": "0.2.0-alpha.5"
+    "@stackwright-pro/auth": "0.2.0-alpha.11"
   },
   "devDependencies": {
-    "@types/node": "^25.4.0",
+    "@types/node": "^25.9.2",
+    "reflect-metadata": "^0.2.2",
     "tsup": "^8.5.1",
     "typescript": "^6.0.3",
-    "vitest": "^4.0.18"
+    "vitest": "^4.1.8"
   },
   "peerDependencies": {
     "next": ">=14.0.0 <16.0.0-beta.0 || >=16.2.3",